Common Information
Value: User Execution - T1204
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
MISP Type: Cluster
Description: An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment that carries the icon and apparent extension of a document file. It may also lead to other execution techniques, such as when a user clicks a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.

Detection: Monitor the execution of, and command-line arguments for, applications that an adversary may use to gain Initial Access and that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.

Platforms: Linux, Windows, macOS
Data Sources: Anti-virus, Process command-line parameters, Process monitoring
Permissions Required: User
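The detection guidance above names two observables: a document reader or archive utility spawning a script host, and an executable disguised with a document icon and extension. The following is an added example, not part of the MISP cluster or of ATT&CK, that applies both checks to constructed process-creation records. The field names (parent_image, image, command_line, user) are an assumption modelled on Sysmon Event ID 1, the sample events are constructed, and the process and extension lists are illustrative starting points rather than a complete catalogue.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Lower-case process names used by the rules (illustrative lists, extend for your estate).
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "acrobat.exe", "foxitreader.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "winzip64.exe", "winzip32.exe"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\")
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: reverses the displayed tail of a filename
# -e / -ec / -en / -enc / -EncodedCommand, but not -ep (ExecutionPolicy) or -ex.
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?=\s|$)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """One process-creation record; schema assumed to mirror Sysmon Event ID 1."""
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def looks_like_document(image: str) -> bool:
    """True for 'report.pdf.exe'-style double extensions or an RLO-disguised name."""
    name = _basename(image)
    if RLO in name:
        return True
    suffixes = PureWindowsPath(name).suffixes
    return (len(suffixes) >= 2
            and suffixes[-1] in EXEC_EXTENSIONS
            and suffixes[-2] in DOC_EXTENSIONS)


def in_user_writable_path(image: str) -> bool:
    low = image.lower()
    return any(marker in low for marker in USER_WRITABLE)


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the findings for one event; an empty list means nothing fired."""
    parent, child = _basename(event.parent_image), _basename(event.image)
    findings = []
    if parent in DOCUMENT_READERS and child in SCRIPT_HOSTS:
        findings.append(f"document reader {parent} spawned {child}")
    if parent in ARCHIVERS and (child in SCRIPT_HOSTS or in_user_writable_path(event.image)):
        findings.append(f"archive utility {parent} launched {child}")
    if looks_like_document(event.image) and in_user_writable_path(event.image):
        findings.append(f"document-lookalike executable run from user path: {child}")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(event.command_line):
        findings.append("encoded PowerShell command line")
    return findings


def scan(events):
    """Return [(user, image, findings)] for every event with at least one finding."""
    return [(e.user, e.image, f) for e in events if (f := evaluate(e))]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc AAAA", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\jdoe\Downloads\Invoice_2022-08.pdf.exe",
                 r'"C:\Users\jdoe\Downloads\Invoice_2022-08.pdf.exe"', r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 "C:\\Users\\jdoe\\Desktop\\photo" + RLO + "fdp.scr",  # displays as photorcs.pdf
                 "photo.scr", r"CORP\jdoe"),
    ProcessEvent(r"C:\Program Files\WinRAR\WinRAR.exe",
                 r"C:\Users\jdoe\AppData\Local\Temp\Rar$EXa0.123\setup.exe",
                 "setup.exe", r"CORP\jdoe"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288", r"CORP\jdoe"),  # benign print helper
]

if __name__ == "__main__":
    for user, image, findings in scan(SAMPLE_EVENTS):
        print(f"{user}: {image}\n    " + "\n    ".join(findings))
```

The last sample event (Word launching the splwow64.exe print helper) is there to show that a parent/child rule keyed only on "Office spawned something" would be noisy; the rules key on the child being a script host or living in a user-writable path, and the encoded-PowerShell check adds weight on top rather than being a detection on its own.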
Related events (Published, Attributes, Source, CTI Title)
2022-08-17  100  Website  UNC3890 | Suspected Iranian Threat Actor Targets Israel
2022-08-17   24  Website  THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
2022-08-17  100  Website  Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors | Mandiant
2022-08-16    1  Website  Zeppelin Ransomware Detection: CISA and FBI Issue a Joint Advisory for Enhanced Protection Against RaaS Threats - SOC Prime
2022-08-16   50  Website  Anomali Cyber Watch: Ransomware Module Added to SOVA Android Trojan, Bitter APT Targets Mobile Phones with Dracarys, China-Sponsored TA428 Deploys Six Backdoors at Once, and More
2022-08-16   53  Website  Phishing Site used to Spread Typhon Stealer
2022-08-15   11  Website  Cuba Ransomware Detection: Tropical Scorpius Threat Actors Deploy Novel RAT Malware in Targeted Attacks - SOC Prime
2022-08-11   36  Website  MikuBot Spotted In The Wild
2022-08-09   27  Website  Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution.
2022-08-03   19  Website  LOLI Stealer – Golang-based InfoStealer spotted in the wild
2022-08-02   57  Website  Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
2022-08-02   26  Website  Fake Atomic Wallet Website Distributing Mars Stealer
2022-07-28   34  Website  Emotet Downloader Document Uses Regsvr32 for Execution
2022-07-26   65  Website  New Wave of Emotet - When Project X Turns Into Y - Cynet
2022-07-26   60  Website  Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers | Mandiant
2022-07-25  104  Website  Shelob Moonlight – Spinning a Larger Web - Cynet
2022-07-25   28  Website  Luca Stealer Source Code Leaked on a Cybercrime Forum
2022-07-21   29  Website  Qakbot Resurfaces with new Playbook
2022-07-19   33  Website  Anomali Cyber Watch: H0lyGh0st Ransomware Earns for North Korea, OT Unlocking Tools Drop Sality, Switch-Case-Oriented Programming for ChromeLoader, and More
2022-07-18   98  Website  Ongoing Roaming Mantis smishing campaign targeting France
2022-07-15   77  Website  A Virtual Baffle to Battle SquirrelWaffle - Cynet
2022-07-13   49  Website  Targeted attack on Government Agencies
2022-07-12   29  Website  Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
2022-07-07   26  Website  NoMercy Stealer Adding New Features
2022-07-06   14  Website  LockBit 3.0: "Making the ransomware great again" - Cluster25